Testing online virus-scanners and file shares for XSS

Filesharing services are a convenient way to get a file from A to B without much hassle. The rise of Dropbox, WebRTC, and other technologies don’t seem to have impaired the market for free file sharing, and there is still tons of ad-financed services around. Most of them don’t look much sophisticated. Therefore I decided to test they are vulnerable to one of the most basic attacks: XSS.

The vector I used in most cases was quite simple: Under most file systems, one can create files that have all the ingredients for XSS in their name. So I uploaded files that were named something like “<img src=# onerror=alert()>.png” and tested if the XSS is executed in the browser of somebody who clicks on the file-sharing link.

Most services are free to use and ad-financed and therefore have no login that could be exploited. Some have premium accounts, however. If one of the premium users visits an XSS’ed file, the attacker might be able to steal their login and gain control of the victim’s account. I basically tested the first two pages of Google search results for “file share”.

I managed to find XSS in 6 online file-sharing services. Besides the file shares, Android App Security scanners also seemed to be exciting and I found 3 of them to be vulnerable. All issues were reported on the 26th of May 2018.

File shares

wesendit.info

Risk: High, Open: Yes, Reaction Time: n.a.
A file named <img src=# onerror="alert()">.pdf will execute JavaScript when the victim views the download page. Since wesendit offers logins, this XSS is potentially dangerous. The operator did not react or fix the problem.

dropbox.uconn.edu

Risk: High, Open: Yes, Reaction Time: 41 days
The University of Connecticut runs a file share website that seems to be restricted to students. Despite that, anybody can upload files and create links. A file named <img src=# onerror=alert()>.pdf will execute JavaScript when the victim views the download page. Since students are asked to log in before upload with their central university-issued account, I believe the XSS could be a threat to any student visiting a tampered link. I repeatedly mailed the IT department and finally reveived an answer. I find it hilarious.

Hello Ciko,
Thank you for contacting the ITS Help Center for your IT support needs.
Your ticket number is [redacted] for your inquiry regarding Fwd: Security Issue: XSS on dropbox.uconn.edu.
In order to process your request, we need the following information:
He's probably right. It's likely that he's a bug bounty hunter. They look for exploits like we probably have there, tell you about them and then ask for a reward. This is unusual because they usually tell you something about it, but not exactly what it is so they can hold the information back in demand for a reward. I'm not too concerned with the email, though it's likely the exploit would work. Is everything updated on the dropbox end, Mark?
Your ticket will be on hold until we hear back from you.
Information Technology Services
http://helpcenter.uconn.edu
CHAT with a representative at helpcenter.uconn.edu
Phone: (860) 486-HELP (4357)

takeafile.com

Risk: High, Open: No, Reaction Time: 12 days
A file named <img src=# onerror=alert()>.pdf will execute JavaScript when the victim views the download page. Since takeafile offers logins, this XSS is potentially dangerous. The team reacted with a grateful email after 12 days and fixed the issue.

expirebox.com

Risk: Low, Open: Yes, Reaction Time: 1 day
A file named <img src=# onerror=alert()>.blend will execute JavaScript when the victim views the download page. Expirebox offers no logins that could be stolen. The operator reacted with a hilarious email; the issue is still unfixed.

FROM: [Redacted] <[redacted].net@gmail.com>
You think that we don’t know this?
Please we have a lot of other things to do now,
Expirebox is not Facebook, all world’s people can be safe for now.
Mail priva di virus. www.avast.com

pasteall.org

Risk: Low, Open: Yes, Reaction Time: n.a.
A file named <img src=# onerror=alert()>.blend will execute JavaScript when the victim views the download page. Pasteall offers no logins that could be stolen. The issue is still unfixed.

tinyupload.com

Risk: Low, Open: Yes, Reaction Time: n.a.
A file named <img src=# onerror=alert()>.pdf will execute JavaScript when the victim views the download page. Tinyupload offers no logins. Therefore user data should not be at risk. The problem is still unfixed.

Android Application Scanners

andrototal.org

Risk: High, Open: No, Reaction Time: 3 days
An APK file signed with a tampered certificate could trigger an XSS on the andrototal scan results page. To trigger the issue, the victim had to click on the scan results -> Logcat page. Since andrototal offers logins, user data were at risk. The issue was fixed shortly after and the operator even asked to credit me.

sanddroid.xjtu.edu.cn

Risk: Low, Open: Yes, Reaction Time: n.a.
An APK file signed with a tampered certificate can trigger an XSS on the sanddroid main scan results page. The issue is still present. The page offers no logins, so user-data should be safe.

apprisk.newskysecurity.com

Risk: Low, Open: Yes, Reaction Time: n.a.
With an APK file that has a tampered filename, an XSS can be triggered on apprisk.newskysecurity.com. The operator did not react to the issue. The page offers a login, but uploads are always private - I doubt the issue could be used to exfiltrate user data.

To efficiently generate an APK file that has XSS vectors in the signing certificate, you can use my apksign tool.
Happy hacking.